In the DOM We Trust: The Hidden Dangers of Reading the DOM on the Web [pdf] (opens in new tab)

As a neophyte, I failed to see them demonstrate injection. They seem to model what injection would mean, but not show how the threat actor got into the flow.

Probably for non neophytes who this is aimed at, that's a given.